Skip to content

Commit

Permalink
Add auditd example with Auditbeat in kubernetes manifests (elastic#17431
Browse files Browse the repository at this point in the history
)

Add an example configuration of the auditd module in the Auditbeat
reference manifest, including the processors needed for enrichement of
events.
  • Loading branch information
jsoriano authored Apr 6, 2020
1 parent ccb525b commit 119f324
Show file tree
Hide file tree
Showing 4 changed files with 53 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

*Auditbeat*

- Reference kubernetes manifests include configuration for auditd and enrichment with kubernetes metadata. {pull}17431[17431]
- Reference kubernetes manifests mount data directory from the host, so data persist between executions in the same node. {pull}17429[17429]
- Log to stderr when running using reference kubernetes manifests. {pull}17443[174443]
- Fix syscall kprobe arguments for 32-bit systems in socket module. {pull}17500[17500]
Expand Down
26 changes: 26 additions & 0 deletions deploy/kubernetes/auditbeat-kubernetes.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,17 @@ data:
processors:
- add_cloud_metadata:
- add_process_metadata:
match_pids: ['process.pid']
include_fields: ['container.id']
- add_kubernetes_metadata:
host: ${NODE_NAME}
default_indexers.enabled: false
default_matchers.enabled: false
indexers:
- container:
matchers:
- fields.lookup_fields: ['container.id']
cloud.id: ${ELASTIC_CLOUD_ID}
cloud.auth: ${ELASTIC_CLOUD_AUTH}
Expand Down Expand Up @@ -65,6 +76,14 @@ data:
max_file_size: 100 MiB
hash_types: [sha1]
recursive: true
- module: auditd
audit_rules: |
# Executions
-a always,exit -F arch=b64 -S execve,execveat -k exec
# Unauthorized access attempts
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
---
# Deploy a auditbeat instance per node for node metrics retrieval
apiVersion: apps/v1
Expand All @@ -86,6 +105,7 @@ spec:
serviceAccountName: auditbeat
terminationGracePeriodSeconds: 30
hostNetwork: true
hostPID: true # Required by auditd module
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: auditbeat
Expand Down Expand Up @@ -113,6 +133,12 @@ spec:
fieldPath: spec.nodeName
securityContext:
runAsUser: 0
capabilities:
add:
# Capabilities needed for auditd module
- 'AUDIT_READ'
- 'AUDIT_WRITE'
- 'AUDIT_CONTROL'
resources:
limits:
memory: 200Mi
Expand Down
19 changes: 19 additions & 0 deletions deploy/kubernetes/auditbeat/auditbeat-configmap.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,17 @@ data:
processors:
- add_cloud_metadata:
- add_process_metadata:
match_pids: ['process.pid']
include_fields: ['container.id']
- add_kubernetes_metadata:
host: ${NODE_NAME}
default_indexers.enabled: false
default_matchers.enabled: false
indexers:
- container:
matchers:
- fields.lookup_fields: ['container.id']
cloud.id: ${ELASTIC_CLOUD_ID}
cloud.auth: ${ELASTIC_CLOUD_AUTH}
Expand Down Expand Up @@ -65,3 +76,11 @@ data:
max_file_size: 100 MiB
hash_types: [sha1]
recursive: true
- module: auditd
audit_rules: |
# Executions
-a always,exit -F arch=b64 -S execve,execveat -k exec
# Unauthorized access attempts
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
7 changes: 7 additions & 0 deletions deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ spec:
serviceAccountName: auditbeat
terminationGracePeriodSeconds: 30
hostNetwork: true
hostPID: true # Required by auditd module
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: auditbeat
Expand Down Expand Up @@ -45,6 +46,12 @@ spec:
fieldPath: spec.nodeName
securityContext:
runAsUser: 0
capabilities:
add:
# Capabilities needed for auditd module
- 'AUDIT_READ'
- 'AUDIT_WRITE'
- 'AUDIT_CONTROL'
resources:
limits:
memory: 200Mi
Expand Down

0 comments on commit 119f324

Please sign in to comment.